Defender Monitoring, Logging and Rendering is Wonky

Win10 Pro 20H2, custom system built Feb 2020
GW Elite 2.2.291 - Ethernet, no Wi-Fi

This is a report of inconsistencies I’ve been following for a while in GW’s behavior while handling network dependent Defender components. It should be emphasized that the behavior •does not break• any of the processes discussed.

FYI: There are currently two Defender Platform folders and their timestamps…
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0 - 12/3/2020
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2101.9-0 - 2/11/2021
It is common to see two or three version folders under \Platform, for which a full understanding eludes me and well above my pay grade.

Microsoft Malware Protection Command Line Utility - mpcmdrun.exe

Note: Every four hours my crafted task “mpcmdrun.exe -signatureupdate” runs in Task Scheduler.

There are five entries under Inactive Apps. There is no entry under Active Apps.
c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2003.8-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2004.6-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2005.5-0\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\4.18.2010.7-0\mpcmdrun.exe

Graph reveals the last time stamp is 6/3/20 for 4.18.2005.5-0. This one has a grey, two arrows icon, the others a black shield. A record for 4.18.2010.7-0 does not exist in Graph. All are First Network Activity.

Nirsoft’s LastActivityView logs events for the current Platform, data here pulled from the exported CSV file.
2/12/2021, 11:02:01 AM, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\MpCmdRun.exe

Antimalware Service Executable - msmpeng.exe

Under Active Apps there is one entry.
c:\programdata\microsoft\windows defender\platform\4.18.2011.6-0\msmpeng.exe

Under Inactive Apps, there is one entry;
c:\programdata\microsoft\windows defender\platform\4.18.1911.3-0\msmpeng.exe

In Graph, the last times stamp for 4.18.1911.3-0 is 2/7/20. For 4.18.2011.6-0, 2/5/21. Both are First Network Activity. The former has a grey, two arrows icon, the latter a white square with a blue bar.

From LastActivityView.
2/11/2021, 4:10:09 PM, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\MsMpEng.exe

Microsoft Network Realtime Inspection Service - NisSrv.exe

There are two entries under Active Apps, and four under Inactive Apps.
c:\programdata\microsoft\windows defender\platform\4.18.2011.6-0\nissrv.exe
c:\programdata\microsoft\windows defender\platform\4.18.2101.9-0\nissrv.exe
Inactive: 4.18.2007.8, 4.18.2008.9, 4.18.2009.7, 4.18.2010.7.

From LastActivityView.
2/11/2021, 4:10:13 PM, C:\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\Platform\4.18.2101.9-0\NisSrv.exe

While GW’s handling of NisSrv.exe seems to be OK, the others are not.

A short while ago, Microsoft abandoned the previous paths
C:\Program Files\Windows Defender
C:\Program Files (x86)\Windows Defender
for storage of Defender resources.

Other security centric layers, like Malicious Software Removal Tool and Windows Defender SmartScreen, escape handling issues by virtue of their location in \System32. Ditto for Host Process for Windows Services and NT Kernel & System for whatever security support they might provide.

I understand the formidable challenge the Windows Defender version paths present to network utilities and tools developers, I’m hoping the GW team can eventually get all this squared away.

While security isn’t affected, none of the described behavior breaks anything, it would be nice for GW’s otherwise superb monitoring and logging of these critical processes to be current and accurate.



Thanks for your feedback.

I have searched for some online documentation of how all this works with Windows but I have been unable to find anything so far. Perhaps Microsoft does not document this for security reasons.

Microsoft seems to change these things up quite often so it’s quite difficult for us to keep on top of it.